Gossip: Learn certificate at validation time
When an AliveMessage enters the routine that handles all messages,
it is first validated, and only then may the certificate be learned
from the alive message; but the certificate is then validated again when it is
learned, because the identity store validates the cert when it attempts
to store it.

This is redundant, we may simply learn the cert at validation time as
part of storing the cert (gossip/identity/identityMapper:Put also
validates a cert, and even checks if the calculated PKI-ID matches
the claimed PKI-ID)

Change-Id: I90900818aef3b51c413384df989f4e63073401f6
Signed-off-by: Yacov Manevich <yacovm@il.ibm.com>
yacovm committed Mar 5, 2017
1 parent ed7ed80 commit bc7f9d8
Showing 1 changed file with 1 addition and 19 deletions.
20 changes: 1 addition & 19 deletions gossip/gossip/gossip_impl.go
Expand Up @@ -285,19 +285,6 @@ func (g *gossipServiceImpl) handleMessage(m proto.ReceivedMessage) {
}

if msg.IsAliveMsg() {
am := msg.GetAliveMsg()
storedIdentity, _ := g.idMapper.Get(common.PKIidType(am.Membership.PkiId))
// If peer's certificate is included inside AliveMessage, and we don't have a mapping between
// its PKI-ID and certificate, create a mapping for it now.
if identity := am.Identity; identity != nil && storedIdentity == nil {
err := g.idMapper.Put(common.PKIidType(am.Membership.PkiId), api.PeerIdentityType(identity))
if err != nil {
g.logger.Warning("Failed adding identity of", am, "into identity store:", err)
return
}
g.logger.Info("Learned identity of", am.Membership.PkiId)
}

added := g.aliveMsgStore.Add(msg)
if !added {
return
Expand Down Expand Up @@ -771,13 +758,8 @@ func (sa *discoverySecurityAdapter) ValidateAliveMsg(m *proto.SignedGossipMessag
// If identity is included inside AliveMessage
if am.Identity != nil {
identity = api.PeerIdentityType(am.Identity)
calculatedPKIID := sa.mcs.GetPKIidOfCert(identity)
claimedPKIID := am.Membership.PkiId
if !bytes.Equal(calculatedPKIID, claimedPKIID) {
sa.logger.Warning("Calculated pkiID doesn't match identity:", calculatedPKIID, claimedPKIID)
return false
}
err := sa.mcs.ValidateIdentity(api.PeerIdentityType(identity))
err := sa.idMapper.Put(claimedPKIID, identity)
if err != nil {
sa.logger.Warning("Failed validating identity of", am, "reason:", err)
return false
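Review bot: The identity is now written into the mapper by `err := sa.idMapper.Put(claimedPKIID, identity)` as soon as an identity is present, before the remainder of ValidateAliveMsg has run (its body continues outside the hunk); if the signature check over the message comes later in this function, a message whose certificate passes MSP validation but whose signature does not will still have populated the mapper, whereas the removed handleMessage code only stored the identity after the whole message had been validated. If consumers of the mapper treat an entry as evidence that a peer controls the key for that certificate, the Put should move after signature verification or be left to the caller on success; this is inferred from the hunk structure and worth confirming against the full function. The name ValidateAliveMsg no longer describes a pure check, so a doc comment such as `// ValidateAliveMsg ... As a side effect, an identity embedded in the message is stored in the identity mapper (Put validates the certificate and its PKI-ID before storing).` would make the write visible to readers. The dropped `g.logger.Info("Learned identity of", am.Membership.PkiId)` in handleMessage also means a newly learned identity is no longer logged at Info unless idMapper.Put does so itself, which matters for auditing which identities a peer has accepted.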
